Essential Eight for Law Firms and Consulting Firms: A Practical Guide

By Michael, Tier 1 Consulting

Published: July 2026

Law firms and boutique consulting firms hold confidential client information, payment instructions and access to other organisations' systems. That makes basic cyber security discipline important even when the firm is small and most technology is managed by an external provider.

The Essential Eight gives Australian organisations a structured way to improve that discipline. It is a set of mitigation strategies developed by the Australian Signals Directorate (ASD) for internet-connected information technology networks. It is not a product, a one-page checklist or a universal legal requirement. Used properly, it helps a firm choose a risk-based target, test its controls and build evidence that the controls continue to work.

The Eight Strategies in Plain Language

1. Application control

Allow only approved applications, scripts and other executable content to run. This reduces the chance that malicious software can execute after someone opens a harmful attachment or download.

2. Patch applications

Keep browsers, productivity software, PDF tools and other applications supported and patched. The required speed depends on the vulnerability and the maturity level you are targeting.

3. Restrict Microsoft Office macros

Disable macros where they are not needed and tightly control them where there is a genuine business requirement. A document received from outside the firm should not be able to run untrusted code by default.

4. User application hardening

Turn off risky or unnecessary features in common applications. This reduces the number of ways an attacker can misuse software that staff rely on every day.

5. Restrict administrative privileges

Give administrator access only to people and services that need it, for the duties that require it. Normal email and web browsing should not be performed through an administrator account.

6. Patch operating systems

Keep computers, servers and relevant network devices on supported versions and apply security updates according to the risk and target maturity level.

7. Multi-factor authentication

Require more than a password for important systems, remote access and privileged actions. For a professional services firm, that usually includes email, document platforms, practice or project systems, finance systems and administrator access.

8. Regular backups

Back up important data, software and configuration, protect backups from unauthorised access and test that information can actually be restored. A backup job marked successful is not the same as a proven recovery.

How the Maturity Model Works

ASD defines four maturity levels, from Maturity Level Zero to Maturity Level Three. Levels One to Three are designed to address increasing levels of attacker tradecraft and targeting. The requirements are cumulative.

The important point is consistency. ASD recommends that an organisation reach the same maturity level across all eight strategies before moving to a higher level. Strong multi-factor authentication does not make the organisation Maturity Level One if patching, backups or another strategy remains at Level Zero.

There is no single maturity target that suits every firm. Choose the target by considering:

  • the sensitivity of client and personal information;
  • access to client environments or trust and payment processes;
  • contractual, government panel or supply-chain requirements;
  • the likely threat actors and consequences of an incident; and
  • the cost and operational impact of the controls.

Record why the target is appropriate. If a client, insurer or government contract specifies a level, use the exact current requirement rather than assuming a general industry norm.

A Practical Approach for a Small Firm

Define the scope first

List the systems, users and providers that support the firm's work. Include staff laptops, email, identity, document storage, remote access, finance systems, business applications, backups and any servers. Clarify which systems are controlled by the firm, its IT provider or a software vendor.

Assess implementation and effectiveness

A policy or configuration screenshot shows intent, but not always effectiveness. Good evidence can include device and patch reports, identity settings, administrator account reviews, backup restore results, application-control tests and records of approved exceptions.

Fix urgent exposure without overstating maturity

If important accounts lack multi-factor authentication, unsupported software is in use, administrators browse the web through privileged accounts or backups have never been restored, address those risks promptly. Then continue across all eight strategies. Quick risk reduction is valuable, but it should not be reported as a maturity level until every applicable requirement for that level has been assessed.

Make ownership explicit

The security lead should set the target, accept or escalate risks and report progress. The IT provider may implement technical settings. System owners confirm business requirements. Partners or directors remain accountable for the decisions. Put those boundaries in writing so a control does not sit unowned between the firm and its provider.

Reassess after change

New software, mergers, staff changes, provider changes and major platform migrations can all alter the result. Treat the Essential Eight as an operating baseline that needs evidence and review, not as a one-off project.

What an Essential Eight Assessment Does Not Prove

Essential Eight maturity does not by itself prove compliance with the Privacy Act, satisfy every cyber insurance policy or create ISO 27001 certification. Those obligations have different scopes and evidence requirements. The Essential Eight can still be a strong technical baseline within a wider security and governance program.

What to Do Next

Start with a scoped assessment against the current ASD maturity model. The output should state the target level, current result for each strategy, evidence reviewed, exceptions, accountable owners and a prioritised improvement plan. It should be clear enough for partners and practical enough for the IT provider to act on.

Talk to us about compliance and cyber insurance readiness

Official References

Tier 1 Consulting provides senior cyber security governance, risk and compliance advice for Australian law firms and boutique consulting firms. Learn more about our compliance and cyber insurance service.